From 036d6fdca871d4fcbb641c7d5d2e1f6d297ea900 Mon Sep 17 00:00:00 2001 From: Patrick Neff Date: Sun, 5 Jan 2025 23:42:49 +0100 Subject: [PATCH] add sops --- .sops.yaml | 19 +++ flake.lock | 36 ++++- flake.nix | 11 ++ modules/home-manager/sops/default.nix | 20 +++ modules/nixos/default.nix | 1 + modules/nixos/mediacenter/default.nix | 7 +- .../nixos/mediacenter/jellyfin/default.nix | 7 + modules/nixos/mediacenter/kodi/default.nix | 142 +++++++++--------- .../kodi/secrets/advancedsettings.xml | 24 +++ .../mediacenter/kodi/secrets/passwords.xml | 24 +++ .../mediacenter/kodi/secrets/youtube.json | 40 +++++ modules/nixos/sops/default.nix | 21 +++ profiles/home-manager/odie@asgard/home.nix | 1 + profiles/nixos/pi0/configuration.nix | 118 ++++++++++++++- remote-deploy.sh | 10 ++ secrets/general.yaml | 66 ++++++++ 16 files changed, 461 insertions(+), 86 deletions(-) create mode 100644 .sops.yaml create mode 100644 modules/home-manager/sops/default.nix create mode 100644 modules/nixos/mediacenter/jellyfin/default.nix create mode 100644 modules/nixos/mediacenter/kodi/secrets/advancedsettings.xml create mode 100644 modules/nixos/mediacenter/kodi/secrets/passwords.xml create mode 100644 modules/nixos/mediacenter/kodi/secrets/youtube.json create mode 100644 modules/nixos/sops/default.nix create mode 100755 remote-deploy.sh create mode 100644 secrets/general.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..f0f3d37 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,19 @@
+keys:
+ - &admin_odie age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7
+ - &server_asgard age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k
+ - &server_pi0 age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf
+ #- &server_pi1 age1u6k49fuphu4n5p7hhuxd03ktwhujr55mrs72cqe6ttfagljpc5asa0jsgx
+ - &server_pi1 age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a
+ - &server_nixos age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun
+ - &workstation_wanaheim age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_odie
+ - *server_asgard
+ - *server_pi0
+ - *server_pi1
+ - *server_nixos
+ - *workstation_wanaheim
diff --git a/flake.lock b/flake.lock
index c1d59fc..8e38b44 100644
--- a/flake.lock
+++ b/flake.lock
@@ -486,18 +486,17 @@
 "vanillatweaks": "vanillatweaks"
 },
 "locked": {
- "lastModified": 1735393933,
- "narHash": "sha256-RsPZaV73pdgEvMNuKDGL+qAzSCvs1upIp5fr7583n9g=",
- "ref": "master",
- "rev": "c3d339a685ac9b86d8c4b8908a0fc81605d5e6b7",
- "revCount": 332,
+ "lastModified": 1735390427,
+ "narHash": "sha256-M/uZbGQN2VLdr6G5ryFAaWYf+aebpckPSLiSBrYHsjE=",
+ "ref": "refs/heads/master",
+ "rev": "f2da3bd27832b7e3bb2325e1a3238a874ebd95d9",
+ "revCount": 331,
 "type": "git",
- "url": "file:///home/odie/Code/nix/minecraft-server-flake"
+ "url": "ssh://git@git.gaja-group.com/gaja-group/minecraft-server-flake.git"
 },
 "original": {
- "ref": "master",
 "type": "git",
- "url": "file:///home/odie/Code/nix/minecraft-server-flake"
+ "url": "ssh://git@git.gaja-group.com/gaja-group/minecraft-server-flake.git"
 }
 },
 "neorg": {
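Review bot: The only creation rule, `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$`, does not match the three sops files this commit adds under `modules/nixos/mediacenter/kodi/secrets/`, so `sops updatekeys` and any key rotation driven by this file will skip them. Those two XML secrets are encrypted to admin_odie and server_pi0 only, which is the right scope for a pi0-only service, but that choice is not recorded anywhere; add a second rule, e.g. `- path_regex: modules/.*/secrets/[^/]+$` with a `key_groups` age list of `*admin_odie` and `*server_pi0`, so the intended recipient set is codified and re-encryption picks these files up. The commented-out `#- &server_pi1 age1u6k49…` line looks like a retired key and is not a recipient of any file in this commit; dropping it keeps the key list authoritative.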
@@ -1141,10 +1140,31 @@
 "nvim-spell-de-latin1-suggestions": "nvim-spell-de-latin1-suggestions",
 "nvim-spell-de-utf8-dictionary": "nvim-spell-de-utf8-dictionary",
 "nvim-spell-de-utf8-suggestions": "nvim-spell-de-utf8-suggestions",
+ "sops-nix": "sops-nix",
 "systems": "systems_2",
 "vim-mcfunction": "vim-mcfunction"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1736064798,
+ "narHash": "sha256-xJRN0FmX9QJ6+w8eIIIxzBU1AyQcLKJ1M/Gp6lnSD20=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "5dc08f9cc77f03b43aacffdfbc8316807773c930",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 8bf6b99..db71828 100644
--- a/flake.nix
+++ b/flake.nix
@@ -45,6 +45,7 @@
 home-manager = import ./modules/nixos/home-manager;
 server = import ./modules/nixos/server;
 games = import ./modules/nixos/games;
+ sops = import ./modules/nixos/sops;
 };
 nixosConfigurations = flakeLib.mkNixosConfiguration
@@ -62,6 +63,11 @@
 system = "x86_64-linux";
 hostName = "wsl-dev";
 }
+ // flakeLib.mkNixosConfiguration {
+ inherit inputs outputs nixpkgs vars flakeLib overlays;
+ system = "aarch64-linux";
+ hostName = "pi0";
+ }
 // flakeLib.mkNixosConfiguration {
 inherit inputs outputs nixpkgs vars flakeLib overlays;
 system = "aarch64-linux";
@@ -82,6 +88,7 @@
 mediacenter = import ./modules/home-manager/mediacenter;
 user = import ./modules/home-manager/user;
 binary-cache = import ./modules/home-manager/binary-cache;
+ sops = import ./modules/home-manager/sops;
 };
 homeConfigurations = flakeLib.mkHomeConfiguration
@@ -150,6 +157,10 @@
 url = "github:numtide/flake-utils";
 inputs.systems.follows = "systems";
 };
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nixos-wsl = {
 url = "github:nix-community/NixOS-WSL";
 inputs = {
diff --git a/modules/home-manager/sops/default.nix b/modules/home-manager/sops/default.nix
new file mode 100644
index 0000000..0e1898a
--- /dev/null
+++ b/modules/home-manager/sops/default.nix
@@ -0,0 +1,20 @@
+{ inputs, ... }: {
+ imports = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
+ sops = {
+ age.keyFile = "/home/user/.age-key.txt"; # must have no password!
+ # It's also possible to use a ssh key, but only when it has no password:
+ #age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
+ defaultSopsFile = ../../../secrets/general.yaml;
+ secrets.hello = {
+ # sopsFile = ./secrets.yml.enc; # optionally define per-secret files
+
+ # %r gets replaced with a runtime directory, use %% to specify a '%'
+ # sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
+ # DARWIN_USER_TEMP_DIR) on darwin.
+ path = "%r/hello";
+ };
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index bded33f..ebbff4a 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,5 +2,6 @@ _: {
 imports = [
 ./base
 ./wsl
+ ./sops
 ];
 }
diff --git a/modules/nixos/mediacenter/default.nix b/modules/nixos/mediacenter/default.nix
index 77d434f..a4647d9 100644
--- a/modules/nixos/mediacenter/default.nix
+++ b/modules/nixos/mediacenter/default.nix
@@ -1,8 +1,7 @@
-{lib, ...}:
-with lib; {
+_:
+{
 imports = [
 ./kodi
+ ./jellyfin
 ];
-
- mediacenter.kodi.enable = mkDefault true;
 }
diff --git a/modules/nixos/mediacenter/jellyfin/default.nix b/modules/nixos/mediacenter/jellyfin/default.nix
new file mode 100644
index 0000000..b563577
--- /dev/null
+++ b/modules/nixos/mediacenter/jellyfin/default.nix
@@ -0,0 +1,7 @@
+{
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+}
+
diff --git a/modules/nixos/mediacenter/kodi/default.nix b/modules/nixos/mediacenter/kodi/default.nix
index 8c8b923..b721ffa 100644
--- a/modules/nixos/mediacenter/kodi/default.nix
+++ b/modules/nixos/mediacenter/kodi/default.nix
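Review bot: `age.keyFile = "/home/user/.age-key.txt"` in the new home-manager sops module is the sops-nix README placeholder, not a path that exists for the profile this commit wires it into (odie@asgard), so home-manager activation will look for a key that cannot be there. Derive it from the profile instead, `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` and take `config` in the module arguments (`{ inputs, config, ... }:`), which is also the default location sops itself reads age keys from. The `secrets.hello` entry with `path = "%r/hello"` is the README example as well; if nothing on the home-manager side consumes it yet, leave `sops.secrets` empty here and declare secrets next to the module that reads them. The copied README comments (`# must have no password!`, the `%r` paragraph) can shrink to one line stating that the key file must be unencrypted and present before activation.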
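Review bot: With `mediacenter.kodi.enable = mkDefault true;` removed here and the enable option gone from `./kodi`, importing the mediacenter module now unconditionally turns on cage+kodi and, through the new `./jellyfin` file, `services.jellyfin` with `openFirewall = true`; the per-host opt-out that existed before is lost. If that is intended, the jellyfin hunk can at least keep the old pattern, `{ lib, ... }:` as the module argument with `enable = lib.mkDefault true;` and `openFirewall = lib.mkDefault true;`, so a host can keep Jellyfin firewalled or off without editing the shared module. The jellyfin file also ends with an extra added empty line after the closing `}`; drop it.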
@@ -1,76 +1,76 @@ -{ - pkgs, - config, - lib, - ... -}: let - cfg = config.mediacenter.kodi; +{ pkgs, ... }: +let + user = "kodi"; + kodi-standalone = pkgs.kodi-wayland.withPackages + (kodiPkgs: with pkgs.kodiPackages; [ + youtube + pvr-iptvsimple + keymap + inputstream-adaptive + inputstream-ffmpegdirect + requests-cache + inputstreamhelper + advanced-emulator-launcher + jellyfin + ]); in - with lib; { - options = { - mediacenter.kodi = { - enable = mkEnableOption "kodi"; - }; +{ + services.cage = { + inherit user; + enable = true; + program = "${kodi-standalone}/bin/kodi-standalone"; + }; + + users.users.kodi = { + name = user; + isNormalUser = true; + extraGroups = [ + "audio" + "video" + "disk" + "plugdev" + "i2c" + "spi" + "power" + ]; + }; + + sops.secrets = { + "kodi-advancedsettings" = { + owner = user; + format = "binary"; + sopsFile = ./secrets/advancedsettings.xml; + path = "/home/${user}/.kodi/userdata/advancedsettings.xml"; }; - config = let - user = "kodi"; - starter = pkgs.callPackage ( - {pkgs, kodi-standalone, ...}: - pkgs.writeShellApplication { - name = "kodi-launcher"; - runtimeInputs = [kodi-standalone]; - text = '' - #!/usr/bin/env bash + "kodi-passwords" = { + owner = user; + format = "binary"; + sopsFile = ./secrets/passwords.xml; + path = "/home/${user}/.kodi/userdata/passwords.xml"; + }; + "kodi-youtube" = { + owner = user; + format = "binary"; + sopsFile = ./secrets/youtube.json; + path = "/home/${user}/.kodi/userdata/addon_data/plugin.video.youtube/api_keys.json"; + }; + }; - while true - do - ping -c1 svartalbenheim.odie.home.arpa && break - sleep 5 - done + networking.firewall.allowedTCPPorts = [ 8080 9090 ]; + environment.sessionVariables = { + WLR_LIBINPUT_NO_DEVICES = builtins.toString 1; + }; - while true - do - sleep 1 - kodi-standalone - done - ''; - } - ) {}; - in - lib.mkIf cfg.enable { - services.cage = { - inherit user; - enable = true; - program = "${starter}/bin/kodi-launcher"; - }; - - users.users.kodi = { - name = user; - 
isNormalUser = true; - extraGroups = [ - "audio" - "video" - "disk" - "plugdev" - "i2c" - "spi" - "power" - ]; - }; - - networking.firewall.allowedTCPPorts = [8080 9090]; - - environment.systemPackages = with pkgs; [ - kodi-standalone - alsa-utils - (retroarch.override { - cores = with libretro; [ - snes9x - pcsx-rearmed - nestopia - ]; - }) - ]; - }; - } + environment.systemPackages = with pkgs; [ + #kodi-standalone + alsa-utils + (retroarch.override { + cores = with libretro; [ + snes9x + pcsx-rearmed + nestopia + ]; + }) + ]; +} diff --git a/modules/nixos/mediacenter/kodi/secrets/advancedsettings.xml b/modules/nixos/mediacenter/kodi/secrets/advancedsettings.xml new file mode 100644 index 0000000..3e9e752 --- /dev/null +++ b/modules/nixos/mediacenter/kodi/secrets/advancedsettings.xml 
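Review bot: The three `sops.secrets.kodi-*` entries set `path` to files under `/home/kodi/.kodi/userdata/`, which Kodi itself can rewrite at runtime (passwords.xml, for instance, when credentials are saved from the UI), so the link sops-nix places there may be replaced by a plain file that silently diverges from the encrypted source; a comment on the block such as `# Kodi may overwrite these at runtime; the sops files in ./secrets stay authoritative` and a check that `addon_data/plugin.video.youtube/` exists before first activation are warranted, since I cannot tell from this hunk whether the parent directory gets created. The rewrite also drops the old launcher's wait for `svartalbenheim.odie.home.arpa` and its restart loop; with `program = "${kodi-standalone}/bin/kodi-standalone"` a kodi exit now ends the cage session unless the cage unit restarts it, which this hunk does not show. Minor: `WLR_LIBINPUT_NO_DEVICES = builtins.toString 1;` can simply be `"1"`, and the commented `#kodi-standalone` in `environment.systemPackages` is dead text.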
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:nFT/yFOmF81VwjM5ab5dJQYrlkDeb9Ov9dzTkMxcUqY=,tag:t2UzVTh0cbuFOZm/RWyu9A==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbGN4YmZ6Q1JZamNIVDd0\nblBJQ3ZyNjBkYWlMdWFZeVB3bDU2NEE2SkdNCkhqc05hbWF5Y0RVS3Jld2pPeGFw\nZ2tXbm9rekpyWDU5d2xRL1RveDBCNTQKLS0tIEZBb3FxRGZuTlZOSE1TeWtsN2pI\nOFUwUEVKTklRSXY3d09zVEs2LzdvYmMKCvbPXIPfwz9XQGG6LqjgXQF3FEwpIrQQ\nxHcCVCFtTnuePDcBpiUa0LNO7pbykTLM8QDk720lXh5YeKcJYN1+wQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cGZFU3FrZTVsNFE2ZGVn\nKzRabVo4Y2tLWEZrbW1aY1oydkZWbWFxV1FFClE5dkR2N1RFaWRvYlNwaUh0VGNx\nakVnbW84T3pGc1lGNzlLNmRMdHNzN2sKLS0tIEhZbENEUTdLQ0laL1B5Tmd3UW5h\nTWtlZFp2bXFHQ0tYK1pSV2xPSHhJeGMKV2WF/21OkoIUBSViIzX5pXZX+8OIwkuP\nb/4owrDej1otYCczA7upnO8d7r9HgdzV0PohZ9ghY+L7xMDtE2Pb0A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-01-05T05:36:06Z", + "mac": "ENC[AES256_GCM,data:Xm8OaOdmS+XIP1vIA1XUAzM0rvoSXtVmVa3TnyCL5d0hHtJ0WHgCadiEmdngNWaizZ/HyqUipMOR5dRbZSa2KErqvtMXABT5NeoTGQOf11Ug7E+cShfMkEedFXNJ45/qntgpqcd8JqfVHHtcbSb7ccnUapMOFRygtudDb/lHADA=,iv:bVEgaFam+OC5+iGOTA4tH8vU1RRcmuc5tAT03snYgXg=,tag:VMTJjmfH7Qf1/xyQWJFEhA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file diff --git a/modules/nixos/mediacenter/kodi/secrets/passwords.xml b/modules/nixos/mediacenter/kodi/secrets/passwords.xml new file mode 100644 index 0000000..0918d40 --- /dev/null +++ b/modules/nixos/mediacenter/kodi/secrets/passwords.xml 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:M9gOTRJvjxukwifouVoXTIcZhl2jm9xgATC/Zyo3TATDQkdtcJlzOLA8BzvVmfwYooJBdbp7WQMaxHhRuTH7zEDPv0QPvyTPc1PKqdyMsfDd20Bi0ghPIRTlXRxFOZKKUrOtWNfVx4fAYey54GvZbg18JpdmAtKFtfQtmUko7Uy/S6Ko/bQSsOofhBuCCej6XYEVst7Ukr2V4yO8GyM5U7LAolEGGhGhPZi63B1yLcNXCMeI,iv:htvA4uWnmvwA6dJt2mFf3jDuazjK8NiXakhD23dWaZE=,tag:nAI314LRj0rOEXCvEJoJuw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETWFndzB6RjJvbTVYZTdp\nd2VDUUJkNDBDR3R4Q1hxZGhsdk9yU1NFd2pzCmUxUU45cnEzVW9XK3dhcTA0NGxk\nQUozMk5jb0xDLzJxcFFPclp4VFBlYUkKLS0tIE83a1MwL3psL3I5U0wzRHJUcGxT\nVnNkWUJpK293TTJUeDk4aEtsekg4a0UKR+Pqu+ia+Kg/bHZP6l+bfRZQ1/9O92kZ\nhrfePv7Guxd5t91x+GyKOaGa6KituX7slskcQNc7JbKxhqXgZ1sXUA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTHU4SFIxamhRNkZVWmtC\ndXl0czJkMFVNZEU3Q3ZScitwNW1Qbm9RZ2xJClk0N0E1TEpxVzQyOEtuTUxZR3lF\nSmQxM1VRam9Ici9vaXBWTGdYWjAvYTgKLS0tIEFsUS9UcmZFWWY2S05BTVVZdHcr\neHpuL3dzTEh3dEQxb1B1SDFFSDBhUkUKKgF3hmHbqVZDiCdkvFf8cCI00w0AFWHG\nSMtsQ3i7IhHMLK9RAUM2hlrl4uagF0Qh5WKTX4QlsHFPQur4Qe2qpw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-01-05T05:39:59Z", + "mac": "ENC[AES256_GCM,data:hXVntaa7Tq2A4y5wp9PicERTFjeDGDduxBd321FgRgvKO+9KG6jCzLGUX+dPRQtwM2A/DqRc74yxrorDyjpg5w4JVvfgFWBA+m2Jw6ZG5K/64/VLJgaV/c5dhmaBnyXfCly3441tZuwaocGNbYt2RSHI/izcN4f91iCeTzVFSA0=,iv:qFZ4wGPzQBmL/pZLqy/TDdKobbeqHf+vm6BPSLDsD9w=,tag:7K930Ym3/TbotLioWv4K5g==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file 
diff --git a/modules/nixos/mediacenter/kodi/secrets/youtube.json b/modules/nixos/mediacenter/kodi/secrets/youtube.json new file mode 100644 index 0000000..1174840 --- /dev/null +++ b/modules/nixos/mediacenter/kodi/secrets/youtube.json 
@@ -0,0 +1,40 @@ +{ + "data": "ENC[AES256_GCM,data:2wfDxlxAfwClaj05cKIUUW6hDhFhzcaJiPhxfGEYv/O2gAaqe2vkKhUiFU6ZivbMVx9xYFlgGvVPoBggZ9zjqzM5jcC9ggDtX2U11NAk6YEcEgrkviUTK0ddaIDsLIaSu+ih1TzYFpMvprH9jyLsR5aGxwykq21wKw61DamSfw9uJ6fzpEldNmTzzHPPUEfKmV/7NE9Tg4s0CzeQhh4GUdvF36JQfKHeDlqaW+L+u5C/HZld/EQ+71m/egwjb3+bh/iCUAO4iGXmmBnu/IM5tR0WSiR8CbwzZsoW9hE9d5Fwfbeu+kyH7Rdgd/VPXTeKyb2c47GeuEt8h7YK6PRvySorcDCCSHP5CbordQHZfsX+hWl47rb9I1dfpYgKHAU=,iv:wYyVXmb80A70Wch4dy/tu4faAjp/DTnwPGXQJxvi3/w=,tag:Gjdr7HkP3CA6em2KEpIKlA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZmoxZmFSb045K29wdE9P\nb2MrMENUUkkrdG1ReS93Q2tpa2pOeldETjE0CktuWHBtanVQY2VtN2NWWlNhdjJw\neDJqVGZBZlN2ZDRWNHY2QmNTbkMzdWMKLS0tIG5XQkZaTzljbXgzb3hkZUREdHVj\ncXA3RzZGT1M0OHBrK0RXNzlPeEJ5b0kKBMVfIOf87UL2iAMz3c2r4mROPBMncr5O\nSVJPGbr79iEAxvLtCJL8jDA0kUt4/L+/hGXCBgtX+VY7GD05cIeesA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Q3k1bW1qd3RlcGlhQkhI\nYzBLd09ZbG9yOVpGcFJ0dWs0a2p2dGEwYUFjCklpT21aTXhsclBUMUZybnI2TzF2\nYk9zTDVJQzNWSnZSU3ZCZnZPTnd3V1UKLS0tIDNuUTJzYWRwRnluR1Z0aTJRSE80\nWldmQnE5RTlkbVdidk1FMjVvVStvekUKUkY5iCm6PvY5BH696cJC8KSia2MyxM1C\nQrv79R4yZHC6pmn9/v513aiprX2GCbPyDUSMM2pOGeJZgvgfnNmlUQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Q2ZsdVk4V3R2TVBadmZp\nOFN2aXg2N0owOTQxZG05RExrZ052MThDc2xZCjFhK2lmdGVibi9uMHE5dytUbEdW\nV3FndWRLbmJCZFVMRzZXMDZqU2kwRWMKLS0tIDcwTVo5bWxQcTV2Z0pQcE83Y2pD\naWJMMHFJWmtId3hqWTlUUXdQVk13U0UKlYm7hcHCu3Wmcns30u+8j6cpeK80VpR4\neocylEOaWoNNUZjU7ojWWQ6thCmJOt41o3YlX23kVDgeN4sc4FMKZw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1hESkgwSjQzaXZCWUU1\nczR0dGUvamt1aEVoaVRUS3dmaTBOL0E1RUV3CkprU3ZGcWdjSGphQ3N6MUk3cTRx\nZVA4bkN3cVErYkFxU2ZzTy9uT1BndUUKLS0tIG1aRk51UjRleWU4Ync5aGhhc1Zt\nR0hkczUydW1HMjJRZ3MrWFZEbDlsTm8Kn2HibVG1t+Z4KhJv9S8wEJqCAhLsFS6v\nSrsYbE4ignDfXf2gN05wgYnqpSXeQHiJaBhLIKhBt+toEgDAXA6d6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSmxwKzU2WVFHL2xEODNL\ndWt5bVdRT2JUa1U5a3JuREc0TEF0UkdBNnlrCkdSVTVvTjBaalZhY3NHQzRhZElX\ncnJlaEVlbTZleCtIeEZxOXdldWEreWcKLS0tIGc4ajBDcGtVODJIN25qSTFUTVN4\nVzltaVN4REo2c05KSnNEZWU4cFViclEKVtUtFv8817DuI/cQRleYVtqTXuqdJzjW\nE2nRwHjRPOCIGlKinUfmdG3t5YVz0iy0YHGkpsvo+elMC/pijpcryQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUjdnbXJsWXQwb0hZTkYw\nRVYvZU5HbXZUMnY2WHNhRmFnTzQzaGZERlJFCmdIdzBocmVvSUVWUmJQK0ErNURI\nSjVWN2c3dmtwZWl3V25tV1VNMEtmZlkKLS0tIFVJR0g4NUZzcTJYUWN2QlI0WC9D\na3ZPdTRRekRlRDNFMjFPMnI4eG01TTgK7g8H2Quq1DzJYq8Im0j0bwyW5ajg0No8\njfNR05ULMPGbr4rctJ+lNTYeCWpl44eTpxFRWTe+wDSQ2XlCkp5jrA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-11-20T12:29:43Z", + "mac": 
"ENC[AES256_GCM,data:HgDwUqtV3qljKSq4Jds+57NX6unOmE7wuyDJoNkSzecNNSygXzM8qyRJwwFVfZUUpNLovNaorlHfCiDAK5y3DsbsIDabCSbI0Ch8nR8JxAFhJdKz7EzIY7mOORLPsPPb9wQ3gAC6TW1qYxEzUUrs4gUPGknQAZTlglriDC3ljtU=,iv:BpBV7/OE4v0pwYUAlrKIYDtB8jz2krnMSvd3TE299FI=,tag:NQaHzZUi6uh0l0bcqhyowg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
new file mode 100644
index 0000000..4e5c9fd
--- /dev/null
+++ b/modules/nixos/sops/default.nix
@@ -0,0 +1,21 @@
+{ inputs, ... }: {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops = {
+ defaultSopsFile = ../../../secrets/general.yaml;
+ # This will automatically import SSH keys as age keys
+ age = {
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # This is using an age key that is expected to already be in the filesystem
+ keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ generateKey = true;
+ };
+ # This is the actual specification of the secrets.
+ secrets = {
+ hello = { };
+ };
+ };
+}
diff --git a/profiles/home-manager/odie@asgard/home.nix b/profiles/home-manager/odie@asgard/home.nix
index edf8ab9..bbca918 100644
--- a/profiles/home-manager/odie@asgard/home.nix
+++ b/profiles/home-manager/odie@asgard/home.nix
@@ -12,6 +12,7 @@
 outputs.homeManagerModules.development
 outputs.homeManagerModules.games
 outputs.homeManagerModules.user
+ outputs.homeManagerModules.sops
 ];
 desktop = {
 enable = true;
diff --git a/profiles/nixos/pi0/configuration.nix b/profiles/nixos/pi0/configuration.nix
index ff8ebf3..bc70bf0 100644
--- a/profiles/nixos/pi0/configuration.nix
+++ b/profiles/nixos/pi0/configuration.nix
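Review bot: `youtube.json`, which the kodi module installs as the YouTube add-on's `api_keys.json`, is encrypted to all six recipients listed in `.sops.yaml` (asgard, nixos and wanaheim included), while the only consumer is the pi0 kodi module; its siblings `advancedsettings.xml` and `passwords.xml` in this same commit are scoped to admin_odie and server_pi0 only. Re-encrypting this file to those two recipients keeps the API key off hosts that never use it. The `lastmodified` of `2023-11-20T12:29:43Z` and `version: 3.8.1`, against 2025 dates and 3.9.x elsewhere in the commit, suggest it was carried over from an older store rather than created for this layout, which is worth confirming when the recipients are narrowed.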
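Review bot: `secrets = { hello = { }; };` is the sops-nix README placeholder, and because `modules/nixos/default.nix` now imports `./sops` for every host, every NixOS build decrypts `secrets/general.yaml` at activation and fails on any host whose `/etc/ssh/ssh_host_ed25519_key` or `/var/lib/sops-nix/key.txt` is not a recipient of that file; either drop the placeholder or move the `secrets` attribute into the host or module that actually uses it. The surrounding comments are the README's as well (`# This will add secrets.yml to the nix store` names a file that does not exist here); replace them with one line on the real policy, e.g. `# Decrypts with the ed25519 host key; key.txt is only generated when absent and cannot decrypt anything until it is added to .sops.yaml`. Whether a key generated by `generateKey = true` is derived from the SSH key or is fresh I cannot tell from this hunk, so that comment should say which before anyone relies on it.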
@@ -1,18 +1,130 @@ -{ +/* + { outputs, flakeLib, vars, ... + }: { + imports = [ + outputs.nixosModules.base + outputs.nixosModules.home-manager + ./hardware-configuration.nix + ]; + + networking = { + inherit (vars) hostName domain; + }; + + home-manager.users = flakeLib.mkNixosHomeConfiguration {inherit vars;}; + } +*/ + +{ inputs +, pkgs +, outputs +, vars +, ... }: { imports = [ + inputs.nixos-hardware.nixosModules.raspberry-pi-4 outputs.nixosModules.base outputs.nixosModules.home-manager - ./hardware-configuration.nix + outputs.nixosModules.mediacenter ]; networking = { inherit (vars) hostName domain; }; - home-manager.users = flakeLib.mkNixosHomeConfiguration {inherit vars;}; + boot = { + kernelPackages = pkgs.linuxPackages_rpi4; + kernelParams = [ "snd_bcm2835.enable_headphones=1" "snd_bcm2835.enable_hdmi=1" ]; + initrd.availableKernelModules = [ + # Allows early (earlier) modesetting for the Raspberry Pi + "vc4" + "bcm2835_dma" + "i2c_bcm2835" + "xhci_pci" + "usbhid" + "usb_storage" + ]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + "/media/net/hel_Public" = { + device = "hel.odie.home.arpa:/nfs/Public"; + fsType = "nfs"; + }; + "/media/net/hel_USB" = { + device = "hel.odie.home.arpa:/nfs/USB_Video"; + fsType = "nfs"; + }; + "/media/net/svartalbenheim_Video" = { + device = "svartalbenheim.odie.home.arpa:/volume1/media/Video"; + fsType = "nfs"; + }; + }; + + swapDevices = [{ + device = "/var/lib/swapfile"; + size = 4 * 1024; + }]; + + hardware = { + raspberry-pi."4" = { + apply-overlays-dtmerge.enable = true; + fkms-3d.enable = true; + }; + enableRedistributableFirmware = true; + }; + + home-manager = { + extraSpecialArgs = { + inherit inputs outputs; + }; + useGlobalPkgs = true; + useUserPackages = true; + users = { + kodi = import ../../home-manager/kodi/pi0; + odie = import ../../home-manager/odie/pi0; + }; + }; + + security.rtkit.enable = true; + + 
environment.systemPackages = with pkgs; [
+ libraspberrypi
+ raspberrypi-eeprom
+ libcec
+ kitty
+ nfs-utils
+ ];
+
+ programs.zsh.enable = true;
+
+ services.udev.extraRules = ''
+ # allow access to raspi cec device for video group (and optionally register it as a systemd device, used below)
+ KERNEL=="vchiq", GROUP="video", MODE="0660", TAG+="systemd", ENV{SYSTEMD_ALIAS}="/dev/vchiq"
+ '';
+
+ system = {
+ stateVersion = "23.05";
+ };
+
+ nixpkgs = {
+ hostPlatform.system = "aarch64-linux";
+ # Fix missing modules
+ # https://github.com/NixOS/nixpkgs/issues/154163
+ overlays = [
+ (final: prev: {
+ makeModulesClosure = x: prev.makeModulesClosure (x // { allowMissing = true; });
+ libcec = prev.libcec.override { withLibraspberrypi = true; };
+ })
+ ];
+ };
 }
diff --git a/remote-deploy.sh b/remote-deploy.sh
new file mode 100755
index 0000000..80d04a6
--- /dev/null
+++ b/remote-deploy.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+
+set -e
+
+HOSTNAME=$1
+
+nix build -L ".#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel"
+#nix copy --no-check-sigs --to "ssh-ng://root@${HOSTNAME}" "./result"
+#ssh "root@${HOSTNAME}" nix-env -p /nix/var/nix/profiles/system --set "$(readlink ./result)"
+#ssh "root@${HOSTNAME}" /nix/var/nix/profiles/system/bin/switch-to-configuration switch
diff --git a/secrets/general.yaml b/secrets/general.yaml
new file mode 100644
index 0000000..e721378
--- /dev/null
+++ b/secrets/general.yaml
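Review bot: The three NFS entries under `fileSystems` (`/media/net/hel_Public`, `/media/net/hel_USB`, `/media/net/svartalbenheim_Video`) carry no mount options, so they are mounted at boot and an unreachable `hel` or `svartalbenheim` can hold up the pi0 boot waiting on remote filesystems; the kodi launcher that used to ping svartalbenheim before starting is removed in this same commit, so nothing waits for the server any more. Give each of them `options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];` so the share is mounted on first access by kodi instead. The commented-out old module at the top of the file (`/* { outputs, flakeLib, vars, ... }: … */`) is history git already keeps; delete it. `home-manager.users.kodi = import ../../home-manager/kodi/pi0;` refers to a path that is not part of this diff, so I assume it already exists in the tree.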
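Review bot: `HOSTNAME=$1` accepts a missing argument silently, after which `nix build` is run against `.#nixosConfigurations..config.system.build.toplevel` and fails with an unrelated evaluation error; use `set -eu` and `host=${1:?usage: $0 <hostname>}` (a lower-case name also avoids clobbering the shell's own `HOSTNAME`). The three commented-out lines are the real deploy path; if they are enabled later, `nix copy --no-check-sigs` followed by `ssh root@…` means the target accepts whatever closure the deploying machine built without any store-path signature check, so a comment next to them should state that the SSH session is the only trust boundary rather than leaving it implicit.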
@@ -0,0 +1,66 @@ +hello: ENC[AES256_GCM,data:XWkc+qY=,iv:wgY5hrihkWjCGOBluavDO6basgTll+WukeZAzsK3SIQ=,tag:5qYd+QcKOWpyzq1c0QlZEQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ac27ksfvxydn20g29s09j66mag45vee3cgk5namsnup5e4l9v3sq7kypg7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOFVYT2doR05kOC9QV1JX + T0pSaEV2NVcyOElhcXE3V1d1UGIva0RxbFJNClFKTWpqSUt5L01KNnpZYnMrL0h3 + OE9OU2VVMWo3Z0p5cXlhQm5FUG5Cem8KLS0tIElDOGRvcXVvY1lsMmgrTTNKSGVi + RlJCSlE2NXZSc21qV1paWVVNK1BGVTQKq6164b3zZqKSff6weDeG9Lyul81vXSWU + BNPdVR98/moEz8QfiiUCs3UQTRUOY+/muWnpn5wTD/c0PYlfFtrNsQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nnx85asl5nmxmurr3g8mazcsggvtazt0hpauw42l7v4k3de74s6s649w0k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNnJjbysxWmdBb0F0MExj + cHBuMkE4bENNYUtYNWxPZ1JEVTV0NzdUdGpJCkUyd2xHVWprWXZKS2xJM3pZZFhF + N0ZZdUI2ZndRa3FLOWZRM3BnR3Y3M0kKLS0tIGZWYTc1YkZoNnNpSDBla3pSaWR5 + TStTQk85STFENlVXM1RMb2c5Vjd0djAKBKswTBhTtt5K8eVqmUl0m8lG7JF++qpU + WQm22QEVZ9SW/ZI6DUFN2L4Ga1cGDXPiXxZuTSjp9WElDiLg33XHEw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v522tvf0gclgjnnu8q0mekl0rcmpdk7d7lwravwazstfn9zqhecsngvhpf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VEdLRnhWTnY2NCsrSlNN + QmRoY25TYnJzbnpIT2dIRi94V1dZV3JQZDM4CnlsTWlaQXFaaDFSSWFweml5NjZv + K3crc1VXakREMTlwSzEwWHo1di9LcmMKLS0tIEtzVk1STSthRVVGUGZhSnFzUmZD + M2lYbDRpWk9BaEYwcng1d2JDQ3JyQWcKkQB8k55P8xRMIix8MeI1YCOD+Uq2/z4W + Zek12JWzIFS1NMLduuO997AZk8bwF3yRqSpkYSuhx2dvxWOgusKprQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16vz5m0stsh39ajn3zhkzj7x7zfgexlx3zzk2k9vrrrsn78tyzd2qmjkt2a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJa0FZU2FnUUQvQzZicklB + L25Gb0ZsdVlNNzV3Yld4Rzk3SG9DaUlQYWxnCjgvd2xqbEpiNjdRN1BwRk9vTllx + N1gyREMvbHFKSEh6Vi95VXYzZWNENk0KLS0tIDQzU3A0eEZtZTV0RmNVaEVXbSt6 + 
YVNxNzBRRUpxYkVhZWFUTlBQTmUvMGMKpc9rIUi08CFS3mAI6Iz9QgiEMj0lF/dK + tM2zk2A9hJSt/ZQ59XfrQitZc5IcW52T2lq5pMM+oUbASNREdrycbg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j8wprrs23m46h7xl26su3k6uztnvza5k89c9uk9rwwzefv8a4yvqpscxun + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNlRhYWd6SzkzTVRIUUNG + VThFSEdSdGZhOVFtNWRLK2NIQ1V3b2xiN1VRClpqUGw1b09JSU1zVzIrRlVJd0lV + R2xSK2k1K21sWkNRbk9TV2IvNm95TTgKLS0tIDZHNFhyYkx4c0FTb1I2RmVQQ2Ji + djhxdm5iV3Bwd2tsdnZUMmtFWXFLN3MKTm8Y5MT5vNBZ5Y0eSWcscTn/I4nAHnKy + Q0CK4m+HHPEikaUnd+v/bxqPwAwjZ2+R7HrR3wuEPdl0WEIbfQeRzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jerjsfhnenzzqtnuxez8g79kc0xxulxyhu2evp9p6gjyswu2syqskgt62v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRnZyWGE4ZHk5dER3SHZK + bDlXb00zZmlCaC8rODcyY3laZ3Z4OStMQ0dnCk5WcUFzcDVsQmFMS2p0QTEySVhn + QlF6Nnd3anNDVG1DcGUyVGRoaGdwaXMKLS0tIGtMck1CdmNCT29PMmNNd1dyekM0 + bnc0d2JDV1ZHOWM4Q2FPUit4OWgzOW8KcVjHNOD1y9NRrye3uhe7L6yWc54DtMOj + lhI75HtNIDsgxLUrtBvUHA/sNBdlIE8tHpXnwnuj7qQRiu6d3leK3A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T22:35:45Z" + mac: ENC[AES256_GCM,data:Aayg2XiuB3+oiS/8wesJQnn8WonNG19loLmSToSR/5B2ha2CEaS9xBJZD0OOett6mumtn70aMK75quWCYTaQzf1vTaIBt1eDVHmBN3dWaTk/an5DtYmJ5oZKUCNiIOGo8jwDbd+e+nZYQXwI1pCn8BbyopsF+AhqOpl7WX8WzyY=,iv:fvJqyWT8M+DFCtCaqVO95HTEDzaOVrg0gwNpp3NOpb0=,tag:dnYnRdRSaaMvEDCNQ+sLUQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1